Date: Sat, 25 May 2024 22:58:49 +0800
Subject: Re: [Linux kernel bug] KASAN: slab-use-after-free Read in pressure_write
To: Michal Koutný, Sam Sun
Cc: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, hannes@cmpxchg.org, lizefan.x@bytedance.com, tj@kernel.org, syzkaller-bugs@googlegroups.com, xrivendell7@gmail.com
From: Chengming Zhou

On 2024/5/25 00:03, Michal Koutný wrote:
> On Fri, May 17, 2024 at 03:14:23PM GMT, Sam Sun wrote:
>> ...
>> We analyzed the root cause of this problem. It happens when
>> concurrently accessing
>> "/sys/fs/cgroup/sys-fs-fuse-connections.mount/irq.pressure" and
>> "/sys/fs/cgroup/sys-fs-fuse-connections.mount/cgroup.pressure". If we
>> echo 0 to cgroup.pressure, the kernel will invoke cgroup_pressure_write(),
>> and call kernfs_show(). It will set kn->flags to KERNFS_HIDDEN and
>> call kernfs_drain(), in which it frees kernfs_open_file *of. On the
>> other side, when accessing irq.pressure, the kernel calls
>> pressure_write(), which will access of->priv. So it triggers a
>> use-after-free.
>
> Thanks for the nice breakdown.
>
> What would you say to something like below (not tested).

Thanks for the detailed report analysis and this fix patch.

I can still reproduce the UAF problem with this patch by running:

terminal 1: while true; do echo "some 150000 1000000" > cpu.pressure; done
terminal 2: while true; do echo 1 > cgroup.pressure; echo 0 > cgroup.pressure; done

Because we still access kernfs_open_file in pressure_write() before cgroup_mutex is taken.

It seems like a problem with kernfs_drain()? I think it should make sure there are no active users of kernfs_open_file when it returns, right?

Will take a look again. Thanks.

> Regards,
> Michal
>
> -- >8 --
> From f159b20051a921bcf990a4488ca6d49382b61a01 Mon Sep 17 00:00:00 2001
> From: Michal Koutný
> Date: Fri, 24 May 2024 16:50:24 +0200
> Subject: [PATCH] cgroup: Pin appropriate resources when creating PSI pressure
>  trigger
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Wrongly synchronized access to kernfs_open_file was detected by
> syzkaller when there is a race between trigger creation and disabling of
> pressure measurements for a cgroup (echo 0 >cgroup.pressure).
>
> Use cgroup_mutex to synchronize the whole duration of pressure_write() to
> prevent working with a free'd kernfs_open_file by excluding concurrent
> cgroup_pressure_write() (uses cgroup_mutex already).
>
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Fixes: 34f26a15611a ("sched/psi: Per-cgroup PSI accounting disable/re-enable interface")
> Reported-by: Yue Sun
> Reported-by: xingwei lee
> Signed-off-by: Michal Koutný
> ---
>  kernel/cgroup/cgroup.c | 17 ++++++++---------
>  1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index e32b6972c478..e16ebd0c4977 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -3777,31 +3777,30 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, > struct psi_trigger *new; > struct cgroup *cgrp; > struct psi_group *psi; > + ssize_t ret = nbytes; > > cgrp = cgroup_kn_lock_live(of->kn, false); > if (!cgrp) > return -ENODEV; > > - cgroup_get(cgrp); > - cgroup_kn_unlock(of->kn); > - > /* Allow only one trigger per file descriptor */ > if (ctx->psi.trigger) { > - cgroup_put(cgrp); > - return -EBUSY; > + ret = -EBUSY; > + goto out; > } > > psi = cgroup_psi(cgrp); > new = psi_trigger_create(psi, buf, res, of->file, of); > if (IS_ERR(new)) { > - cgroup_put(cgrp); > - return PTR_ERR(new); > + ret = PTR_ERR(new); > + goto out; > } > > smp_store_release(&ctx->psi.trigger, new); > - cgroup_put(cgrp); > > - return nbytes; > +out: > + cgroup_kn_unlock(of->kn); > + return ret; > } > > static ssize_t cgroup_io_pressure_write(struct kernfs_open_file *of,
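Review bot: the widened critical section starts too late to protect the object it is meant to protect: `cgroup_kn_lock_live(of->kn, false)` dereferences `of` before cgroup_mutex is held, and `ctx` (taken from `of->priv`, per the report above) is first read at `if (ctx->psi.trigger)` only afterwards, so a concurrent cgroup_pressure_write() that has already run kernfs_drain() and freed the kernfs_open_file is not excluded by this patch, which is consistent with the reproducer in the reply still triggering the UAF. Holding cgroup_mutex across `psi_trigger_create(psi, buf, res, of->file, of)` also lengthens the mutex hold time for every trigger creation without closing the window. Suggest addressing the lifetime at the kernfs layer instead, i.e. having kernfs_drain() wait for in-flight users of the open file before it is freed, rather than moving `cgroup_kn_unlock(of->kn)` to the `out:` label; the error-path cleanup itself (`ret = -EBUSY; goto out;` and `ret = PTR_ERR(new); goto out;`) is correctly balanced since `cgroup_kn_lock_live()` returning NULL leaves nothing to unlock.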